Clientless VPN and Java/Javascript

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Clientless VPN and Java/Javascript

L1 Bithead



We have a clientless VPN and app set up to use https on tcp 8443 but the page is not displaying at all. Connectivity has been proven end to end so all the rules are in place.

The app points to a webserver that hosts a portal and uses Javascript.


Some debugging was carried out on the client browser side and a comparison of going through the clientless VPN and not going through the VPN showed the Palo inserting various code. I know the Palo does URL re-writes but can anyone explain what the "pan_eval((function()" and "?gp-7" is? I guess it's something to do with Java but unfortunately I have no experience of it.


Many thanks.




These are some of the extracts from the debug whilst going through the VPN and the inserted elements:

<script src=""></script><base href="/http-8443/">

  <script type="text/javascript" src="assets/js/css-vars-ponyfill.min.js?gp-7"></script>

  <script type="text/javascript">



This whole content has been added by the Palo:

).toString().slice(12, -2),__pan_site_rules,1);</script>

  <link rel="stylesheet" href="assets/css/vendor/katex.min.css" defer />

  <link rel="stylesheet" href="assets/css/vendor/prism.css" defer />

  <link rel="stylesheet" href="assets/css/vendor/notebook.css" defer />

  <link rel="stylesheet" href="assets/css/nbpreview.css" defer />

  <link rel="stylesheet" href="assets/css/cssvariables.css" />

<link rel="stylesheet" href="styles.css"></head>


This is where ?gp-7 added



  <script src="assets/js/jquery-3.4.1.min.js?gp-7" defer></script>

  <script src="assets/js/jquery.sparkline.min.js?gp-7" defer></script>

  <script src="assets/js/d3.min.js?gp-7" defer></script>

  <script src="assets/js/raw.js?gp-7" defer></script>

  <script src="assets/js/papaparse.min.js?gp-7" defer></script>

  <script src="assets/js/pivot.js?gp-7" defer></script>

  <script src="assets/js/jcf.js?gp-7" defer></script>

  <script src="assets/js/jsencrypt.js?gp-7" defer></script>

  <script src="assets/js/katex-0.6.0.js?gp-7" defer></script>


  <script type="text/javascript" src="assets/js/vendor/es5-shim.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/marked.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/ansi_up.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/prism.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/katex.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/katex-auto-render.min.js?gp-7" defer></script>

  <script type="text/javascript" src="assets/js/vendor/notebook.min.js?gp-7" defer></script>


<script src="runtime.js?gp-7"></script><script src="polyfills.js?gp-7"></script><script src="scripts.js?gp-7"></script><script src="main.js?gp-7"></script></body>



1 accepted solution

Accepted Solutions



We finally got this working.

Under "Network\GlobalProtect\Clientless Apps" we had an application with the "Application Home URL" configured with an IP address rather than a URL with the server hostname. Once this was changed we could connect to the server OK.


Hope this helps.



View solution in original post


L0 Member

Hi all, I'm also facing the same issue. Seems like the javascript that global protect wraps stops it from loading. Has anyone found a solution to this?



We finally got this working.

Under "Network\GlobalProtect\Clientless Apps" we had an application with the "Application Home URL" configured with an IP address rather than a URL with the server hostname. Once this was changed we could connect to the server OK.


Hope this helps.



that didn't work for us. All of our applications have an FQDN URL entered, but we're still having the issues described above. The only thing that helps us is if you outsource the Javascript files to an external server and exclude them from the clientlessvpn configuration. It looks like the reverse proxy is not properly ending the javascript files with a parenthesis. This is displayed to me in the web developer window of the google chrome browser.

best regards

L1 Bithead

Seem like I'm facing this issue too.
For my scenario, web page doesn't update after press confirm button on popup.
I try to debug, compare and found some strange in java script section, I need to consoult with TAC and web team.

L0 Member

In my case was the Hostname of the Clientless VPN Portal that was with an IP, we changed it to a valid hostname and got resolved even when the internal apps configured with an IP.

You mean here right?:


That's already a DNS name and not an IP address, unfortunately that's not our problem, but thanks for the tip.

  • 1 accepted solution
  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!